[bitcoin-dev] On adaptor security (in protocols)

2023-04-29 Thread AdamISZ via bitcoin-dev
Hi list, I was motivated to look more carefully at the question of the security of using signature adaptors after recently getting quite enthused about the idea of using adaptors across N signing sessions to do a kind of multiparty swap. But of course security analysis is also much more importan

Re: [bitcoin-dev] On adaptor security (in protocols)

2023-05-01 Thread Lloyd Fournier via bitcoin-dev
Hi waxwing, I think your view of the uselessness of single signer adaptors is too pessimistic. The claim you make is that they "don't provide a way to create enforcement that the publication of signature on a pre-defined message will reveal a secret" and so are useless. I think this is wrong. If

Re: [bitcoin-dev] On adaptor security (in protocols)

2023-05-01 Thread AdamISZ via bitcoin-dev
Hi Lloyd,
thanks for taking a look.

> I think your view of the uselessness of single signer adaptors is too
> pessimistic. The claim you make is that they "don't provide a way to create
> enforcement that the publication of signature on a pre-defined message will
> reveal a secret" and so are

Re: [bitcoin-dev] On adaptor security (in protocols)

2023-05-03 Thread AdamISZ via bitcoin-dev
Hi Lloyd and list, While on the road and re-downloading the papers, I realised there is a "new" paper published December 2022 by Wei Dai, Okamoto and Yamamoto on this same topic: https://eprint.iacr.org/2022/1687 and, strikingly, it focuses on the exact same point I made here in Section 3 - n

Re: [bitcoin-dev] On adaptor security (in protocols)

2023-05-08 Thread Lloyd Fournier via bitcoin-dev
Hi Waxwing,

On Tue, 2 May 2023 at 02:37, AdamISZ wrote:
> Hi Lloyd,
> thanks for taking a look.
>
> > I think your view of the uselessness of single signer adaptors is too
> pessimistic. The claim you make is that they "don't provide a way to create
> enforcement that the publication of signatur

Re: [bitcoin-dev] On adaptor security (in protocols)

2023-05-11 Thread AdamISZ via bitcoin-dev
Hi Lloyd,

> Yes but suppose you do *not* create another signature adaptor or otherwise on
> m. Since you've only generated one adaptor signature on m and no other
> signatures on m there is no possibility that a signature on m that appears
> under your key would not reveal y to you. This is an

Re: [bitcoin-dev] On adaptor security (in protocols)

2023-05-11 Thread Lloyd Fournier via bitcoin-dev
On Thu, 11 May 2023 at 13:12, AdamISZ wrote:
>
> A sidebar, but it immediately brings it to mind: the canonical adaptor
> based swap, you can do it with only one half being multisig like this,
> right? Alice can encrypt the single-key signature for her payment to Bob,
> with the encryption key be

Re: [bitcoin-dev] On adaptor security (in protocols)

2023-05-14 Thread AdamISZ via bitcoin-dev
> I think the problem is that Alice can still move the funds even if Bob
> decrypts and broadcasts by revealing s if she gets confirmed first.

Indeed. Imagine forgetting that, couldn't be me :)

> I think you always need a multisig in these kinds of situations but it need
> not be a key aggregate